Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C1FA32171 for ; Fri, 19 Apr 2019 01:13:45 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C5111466 for ; Fri, 19 Apr 2019 01:13:44 +0000 (UTC) Received: by mail-pg1-f171.google.com with SMTP id e6so1964869pgc.4 for ; Thu, 18 Apr 2019 18:13:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=yT6PfSv443p4uDhw/igxyFr+3njN3i8ax0G8NvTnQjM=; b=FHEpLZ75T5vhM8DpXMeHQUEBG2oH3eGe3rEd/pk3vfzdP3uy06RuHPNssJgorLfSun RDlsz2J+ShR/cEJazQ1gFUdg5IEtMcvsCSsVRlMlZT8NJntfIKQHn2HL3t8agMdQY0ib +1b2SrDoPEP/t7S7uyHbNiF+qwlVHUKbvMcdkx4xj46iCIaTaOU9ELvTft22ahHdzv9O jSM2mCdkH0VscUlZrg5w35X8xjHvhMkbpj9TbZB1sCreV6LPpf6iDiyyfbYsA1V4K+2j efTQpcJKyt1/Ko9ZKz977tD+EPYawrNYzdbyMbpq0kOM6FM67HmdppNFaBGH+7FEghym fNXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=yT6PfSv443p4uDhw/igxyFr+3njN3i8ax0G8NvTnQjM=; b=kSSWlLQbfMaQ5CMfwGYVgXqSS8YCHkK9W0be0ZTgZXWGYczZdYgXom7Ig0bbgCmyPP Xz+my34lc7/7Ycvms8xy0Gfh+qcgAnsE1E7buTUCkZnRpzGBjZDTpHU/L0YQBt0GyBEC vUyyg/o0RJMY5KLP4HWb1vIr4HGcUpIEvsc1qOE3O4Vti9lX3JB4RhA9MUArMtEw7lVZ QfaGQ9nI6vvMTfBAA4f8b2Azqhll99YrInX2jjWNmIy0qyJOenMqlMfb9gH8W4UfjigR ewt3tNZ/8YpOmDzxPF/1tZdNjLTfkli0MtAJUTiVbJYJyzu6bJ2qOrqP/Ta4cJeFvQkw T5ww== X-Gm-Message-State: APjAAAXMgYUqLkAKzBtPZ+9yG4obucfs/0wg8F7TO1Vt2gv6d28+alAa jERSmbUlePqYsbEYOlkrvirJdlqbAoHM714iT+k= X-Google-Smtp-Source: APXvYqzTpSrluTw8tiinKIlfMa1OeqbliaNk0T5oHxR6oR+k1Tl0GNew/y4LKkG4viMXwiwG706S+3bQhTFDH5blwcw= X-Received: by 2002:aa7:8096:: with SMTP id v22mr903329pff.94.1555636423952; Thu, 18 Apr 2019 18:13:43 -0700 (PDT) MIME-Version: 1.0 References: <-tCD0qh97dAiz-VGkDQTwSbSQIm9cLF1kOzaWCnUDTI4dKdsmMgHJsGDntQhABZdE2_yBYpPAAdulm8EpdNxOB8o3lI6ZQJBJZWF1INzUrE=@protonmail.com> In-Reply-To: From: Ethan Heilman Date: Thu, 18 Apr 2019 21:13:07 -0400 Message-ID: To: ZmnSCPxj Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 19 Apr 2019 13:57:03 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Apr 2019 01:13:45 -0000 Hi ZmnSCPxj, Let's see if I understand what you are saying. In your scenario chain A consists of honest miners (10% of the hash rate) and chain B (90% of the hash rate) consists of dishonest miners who are inflating the coin supply. Chain A: S, S+1 Chain B: S, S+1 (invalid), S+2, S+3, S+4, S+5, S+6, S+7, S+8, S+9 Chain B S+1 has a invalid coinbase >At around height S+9, the minority miners generate an alternate block at h= eight S+1. So SPV nodes download S+9 and S+8 on the longer chain, and see n= othing wrong with those blocks. What I am suggesting is that when the minority miners generate an alternate block at S+1 (chain A) the SPV node would download blocks S+1 and S+2 from chain B (the dishonest chain). Since S+1 has the invalid coinbase the SPV node would learn that chain B is invalid and abandon it. Bitcoin is in big trouble if a malicious party controls 90% of the mining power. The malicious miners can spend +11% of their mining power ensuring that the honest chain never reaches consensus by continuously forking it. The malicious miners can then extend their favored chain using the other 79% of the mining power. This would produce a scenario in which users are forced to choose between a stable chain that violates a consensus rule and an unstable honest chain that is completely unusable and which never pays out mining rewards. I agree that SPV nodes and many wallets would make this even worse especially in their current condition where they just trust the hash rate/wallet provider and there are no fraud proofs. On Thu, Apr 18, 2019 at 8:25 PM ZmnSCPxj wrote: > > Good morning Ethan, > > > Sent with ProtonMail Secure Email. > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original = Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 > On Friday, April 19, 2019 4:12 AM, Ethan Heilman wrote= : > > > I'm probably repeating a point which has been said before. > > > > > I suppose a minority miner that wants to disrupt the network could si= mply create a valid block at block N+1 and deliberately ignore every other = valid block at N+1, N+2, N+3 etc. that it did not create itself. > > > > If this minority miner has > 10% of network hashrate, then the rule of > > thumb above would, on average, give it the ability to disrupt the > > SPV-using network. > > > > Proposed rule: > > Whenever a chainsplit occurs SPV clients should download and validate > > the "longest chain" up to more than one block greater than the height > > of the losing chain. > > > > Lets say a block split causes chain A and chain B: Chain A is N blocks > > long, chain B is M blocks long, and N < M. Then the SPV client should > > download all the block data of N+1 blocks from Chain B to verify > > availability of chain B. Once the SPV client has verified that chain B > > is available they can use fraud proofs determine if chain B is valid. > > Let us then revert to the original scenario. > Suppose a supermajority (90%) of miners decide to increase inflation of t= he currency. > > They do this by imposing the rule: > > 1. For 1 block, the coinbase is 21,000,000 times the pre-fork coinbase v= alue. > 2. For 9 blocks, the coinbase is the pre-fork value. > 3. Repeat this pattern every 10 blocks. > > The above is a hardfork. > However, as they believe that SPV nodes dominate the economy, this mining= supermajority believes it can take over the network hashpower and impose i= ts will on the network. > > At height S+1, they begin the above rule. > This implies that at heights S+1, S+11, S+21, s+31... the coinbase violat= es the pre-hardfork rules. > > At around height S+9, the minority miners generate an alternate block at = height S+1. > So SPV nodes download S+9 and S+8 on the longer chain, and see nothing wr= ong with those blocks. > > At around height S+18, the minority miners generate an alternate block at= height S+2. > So SPV nodes download S+18, S+17, S+16 and again see nothing wrong with t= hose blocsk. > > This can go on for a good amount of time. > With a "rare enough" inflation event, miners may even be able to spend so= me coinbases on SPV nodes that SPV nodes become unwilling to revert to the = minority pre-hardfork chain, economically locking in the post-hardfork infl= ation. > > Again: every rule is an opportunity to loophole. > > Regards, > ZmnSCPxj > > > An attacker could use this to force SPV clients to download 1 block > > per block the attacker mines. This is strictly weaker security than > > provided by a full-node because chain B will only be validated if the > > client knows chain A exists. If the SPV client's view of the > > blockchain is eclipsed then the client will never learn that chain A > > exists and thus never validate chain B's availability nor will the > > client be able to learn fraud proofs about chain B. A full node in > > this circumstance would notice that the chain B is invalid and reject > > it because a full node would not depend on fraud proofs. That being > > said this rule would provide strictly more security than current SPV > > clients. > > > > On Thu, Apr 18, 2019 at 3:08 PM ZmnSCPxj via bitcoin-dev > > bitcoin-dev@lists.linuxfoundation.org wrote: > > > > > Good morning Ruben, > > > Sent with ProtonMail Secure Email. > > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origi= nal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 > > > On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev bit= coin-dev@lists.linuxfoundation.org wrote: > > > > > > > Simplified-Payment-Verification (SPV) is secure under the assumptio= n > > > > that the chain with the most Proof-of-Work (PoW) is valid. As many > > > > have pointed out before, and attacks like Segwit2x have shown, this= is > > > > not a safe assumption. What I propose below improves this assumptio= n > > > > -- invalid blocks will be rejected as long as there are enough hone= st > > > > miners to create a block within a reasonable time frame. This still > > > > doesn=E2=80=99t fully inoculate SPV clients against dishonest miner= s, but is a > > > > clear improvement over regular SPV (and compatible with the privacy > > > > improvements of BIP157[0]). > > > > The idea is that a fork is an indication of potential misbehavior -= - > > > > its block header can serve as a PoW fraud proof. Conversely, the la= ck > > > > of a fork is an indication that a block is valid. If a fork is crea= ted > > > > from a block at height N, this means a subset of miners may disagre= e > > > > on the validity of block N+1. If SPV clients download and verify th= is > > > > block, they can judge for themselves whether or not the chain shoul= d > > > > be rejected. Of course it could simply be a natural fork, in which > > > > case we continue following the chain with the most PoW. > > > > > > I presume you mean a chain split? > > > > > > > The way Bitcoin currently works, it is impossible to verify the > > > > validity of block N+1 without knowing the UTXO set at block N, even= if > > > > you are willing to assume that block N (and everything before it) i= s > > > > valid. This would change with the introduction of UTXO set > > > > commitments, allowing block N+1 to be validated by verifying whethe= r > > > > its inputs are present in the UTXO set that was committed to in blo= ck > > > > N. An open question is whether a similar result can be achieved > > > > without a soft fork that commits to the UTXO set[0][1]. > > > > If an invalid block is created and only 10% of the miners are hones= t, > > > > on average it would take 100 minutes for a valid block to appear. > > > > During this time, the SPV client will be following the invalid chai= n > > > > and see roughly 9 confirmations before the chain gets rejected. It = may > > > > therefore be prudent to wait for a number of confirmations that > > > > corresponds to the time it may take for the conservative percentage= of > > > > miners that you think may behave honestly to create a block (includ= ing > > > > variance). > > > > > > I suppose a minority miner that wants to disrupt the network could si= mply create a valid block at block N+1 and deliberately ignore every other = valid block at N+1, N+2, N+3 etc. that it did not create itself. > > > If this minority miner has > 10% of network hashrate, then the rule o= f thumb above would, on average, give it the ability to disrupt the SPV-usi= ng network. > > > > > > > 10% of network hashrate to disrupt the SPV-using nodes would be a r= ather low bar to disruption. > > > > Consider that SPV-using nodes would be disrupted, without this rule= , only by >50% network hashrate. > > > > > > It is helpful to consider that every rule you impose is potentially a= loophole by which a new attack is possible. > > > Regards, > > > ZmnSCPxj > > > > > > bitcoin-dev mailing list > > > bitcoin-dev@lists.linuxfoundation.org > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > >